DOJ Evaluation of Corporate Compliance Programs
As we explained in an earlier article, the U.S. Department of Justice (DOJ) Fraud Section is both the Criminal Division’s largest litigating section and the place where much of DOJ policy on corporate compliance is set. Because it has sole criminal responsibility for the Foreign Corrupt Practices Act (FCPA), as well as large corporate fraud and health care fraud units, the Fraud Section’s view of how it evaluates corporate compliance programs sets the tone not only for Fraud Section prosecutions, but across other criminal and civil enforcement agencies.
The new guidance breaks down the evaluation of corporate compliance programs into a series of eleven topics. Each of the eleven topics includes a series of questions. The guidance is formulated to evaluate compliance programs after a failure has been discovered, so many of the questions are framed using existing misconduct as the benchmark against which the compliance program will be evaluated. Nonetheless, the guidance provides both an extremely useful roadmap for testing existing compliance programs and a set of steps that should be taken when problems are discovered to demonstrate a pre-existing commitment to compliance.
Below is a summary of the topics covered and the questions companies can expect DOJ to ask when it confronts corporate misconduct. The full DOJ document can be read here.
1. Analysis and Remediation of Underlying Misconduct
Has the corporation done an analysis to see if there was a systematic failure in compliance? Did the company miss prior opportunities to detect the misconduct? Has the company evaluated why those opportunities were missed? What remediation was undertaken once a problem was discovered? What specific changes has the company made to reduce the risk of a reoccurrence?
2. Senior and Middle Management
Did senior managers, through their words and actions, encourage or discourage the misconduct in question? Has senior leadership taken concrete steps to demonstrate commitment? Does the Board of Directors have access to the right expertise to help it perform its oversight function?
3. Autonomy and Resources
With the relatively recent hiring of full-time compliance counsel at the Fraud Section, this has been a particular point of focus. Does the compliance function have the right resources and stature within the company to perform effectively? Was compliance involved in the training and decisions relevant to any misconduct? Does compliance have appropriate independence?
4. Policies and Procedures
Did the company have policies and procedures in place that prohibited the misconduct? Has the company assessed whether its policies and procedures were effectively implemented? Are key gatekeepers adequately trained? Was the program properly integrated and were adequate controls put in place to detect misconduct?
5. Risk Assessment
What methodology has the company used to identify, analyze and address the particular risks it faced? Does the company collect information and metrics to adequately assess risks?
6. Training and Communications
What training was in place and is it properly tailored for high-risk or control employees? Is the training offered in the right form and language for the target employees? How does the company communicate to employees about any misconduct that does occur?
7. Confidential Reporting and Investigation
Does the company have in place an effective way of collecting and analyzing allegations of misconduct? Does the company ensure that investigations have been properly scoped, conducted, and documented? Did the investigation look to root causes of the misconduct? Did the investigation go high up enough in the company?
8. Incentives and Disciplinary Measures
Is there proper accountability as demonstrated by discipline for managers under whose watch misconduct occurred? Is the application of discipline consistent? Is there an incentive program for good compliance and ethical behavior? Can the company point to specific examples of actions taken (promotions or awards denied) as a result of compliance and ethics considerations?
9. Continuous Improvement, Periodic Testing, and Review
What types of audits would have identified the misconduct at issue and were they conducted? Did management and the board follow up on audit findings and failures? Does the company test its controls? Does the company routinely update its compliance program and make sure it adequately addresses current risks?
10. Third-Party Management
Does the company’s third-party management process adequately analyze risk? Are there appropriate controls with regard to third parties? Does the company adequately respond to third-party red flags? Has the company suspended, terminated, or audited a third party as a result of compliance issues?
11. Mergers and Acquisitions (M&A)
In the event misconduct is discovered after a merger, was proper due diligence conducted during the M&A process? How has the compliance function been integrated into the M&A process?
If there is an overarching theme to be divined from the Fraud Section’s guidance, it is that DOJ wants to see compliance programs that are both thoughtful and flexible. Compliance programs need to be thoughtful in that they are both designed to encourage good behavior and appropriate to the risk that a particular entity faces. Compliance programs must be flexible in that they need to evolve as a company’s risks evolve. As companies expand into new areas of business or start operations in different parts of the world, their compliance functions must be part of that process so that new risks are not ignored and are appropriately incorporated into the program. While no compliance program will be perfect, DOJ’s latest guidance provides companies a model against which they can measure existing programs and make changes where appropriate.